Networking
Networking is the infrastructure layer that everything else depends on. Services can't communicate, users can't connect, and data can't replicate without it. A working understanding of IP addressing, DNS, certificates, and network boundaries is essential for operating reliable systems.
IP Addressing
Every device on a network needs an address. IPv4 addresses (like 192.168.1.1) are the familiar format: four octets, 32 bits, roughly 4.3 billion possible addresses, and the pool of unallocated ones was exhausted long ago, which is the main reason NAT is everywhere. IPv6 addresses are 128 bits and provide a vastly larger space, but adoption remains gradual, so many networks run both (dual stack). A host that is reachable over IPv6 needs the same firewall rules it has for IPv4, or the IPv6 path quietly bypasses them.
CIDR notation (like 10.0.0.0/24) describes a range of addresses. The number after the slash is the prefix length: how many leading bits are fixed, with the remaining bits free for hosts. A /24 leaves 8 host bits and covers 256 addresses, a /16 covers 65,536, a /32 is a single address, and /0 is every address, which is why 0.0.0.0/0 in a firewall rule means "the whole internet". Understanding CIDR is essential for configuring subnets, firewall rules, and access controls, and for spotting rules that are far broader than their author intended.
Private address ranges (RFC 1918: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) are used within internal networks and are not routed on the public internet. NAT (Network Address Translation) lets devices with private addresses reach the public internet through a shared public IP. NAT hides internal addresses, but it is not an access control: port forwarding, a misconfigured gateway, or an exposed IPv6 address can still make an "internal" host reachable, so explicit firewall rules are needed regardless.
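As an added example (not code from the original page), here is the CIDR arithmetic above done by hand in Go: parsing an address into 32 bits, deriving the network and broadcast addresses from the prefix length, testing membership, and checking the RFC 1918 ranges. The addresses used in main are made up. The parser also reports when a prefix was written with host bits set, because 10.0.1.37/24 silently means all of 10.0.1.0/24 once masked, a frequent source of over-broad firewall rules.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// block is an IPv4 prefix in normalized form: the network address (host bits cleared) and
// the prefix length. "10.0.1.37/24" becomes {10.0.1.0, 24}.
type block struct {
	network uint32
	prefix  int
}

// parseIPv4 converts dotted-quad text to its 32-bit value by hand, so the bit layout is visible.
func parseIPv4(s string) (uint32, error) {
	parts := strings.Split(s, ".")
	if len(parts) != 4 {
		return 0, fmt.Errorf("invalid IPv4 address %q", s)
	}
	var ip uint32
	for _, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 || n > 255 {
			return 0, fmt.Errorf("invalid octet %q in %q", p, s)
		}
		ip = ip<<8 | uint32(n)
	}
	return ip, nil
}

func formatIPv4(ip uint32) string {
	return fmt.Sprintf("%d.%d.%d.%d", ip>>24, ip>>16&0xFF, ip>>8&0xFF, ip&0xFF)
}

// parseCIDR parses "a.b.c.d/n" and returns the normalized block plus a flag saying whether the
// text had host bits set; a rule author who wrote 10.0.1.37/24 probably meant one host, not 256.
func parseCIDR(s string) (block, bool, error) {
	addr, bits, ok := strings.Cut(s, "/")
	if !ok {
		return block{}, false, fmt.Errorf("missing prefix length in %q", s)
	}
	ip, err := parseIPv4(addr)
	if err != nil {
		return block{}, false, err
	}
	prefix, err := strconv.Atoi(bits)
	if err != nil || prefix < 0 || prefix > 32 {
		return block{}, false, fmt.Errorf("invalid prefix length in %q", s)
	}
	b := block{prefix: prefix}
	b.network = ip & b.mask()
	return b, b.network != ip, nil
}

// mask has the first prefix bits set. Shifting a uint32 by 32 (prefix 0) yields 0 in Go, so /0
// correctly matches everything.
func (b block) mask() uint32 { return ^uint32(0) << (32 - b.prefix) }

func (b block) String() string          { return fmt.Sprintf("%s/%d", formatIPv4(b.network), b.prefix) }
func (b block) size() uint64            { return 1 << (32 - b.prefix) }
func (b block) broadcast() uint32       { return b.network | ^b.mask() }
func (b block) contains(ip uint32) bool { return ip&b.mask() == b.network }

// isPrivate reports whether ip lies in one of the RFC 1918 ranges.
func isPrivate(ip uint32) bool {
	for _, r := range []string{"10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"} {
		if b, _, _ := parseCIDR(r); b.contains(ip) {
			return true
		}
	}
	return false
}

func main() {
	probe, _ := parseIPv4("10.0.1.200") // made-up address used to test membership
	for _, s := range []string{"10.0.1.37/24", "172.20.5.9/12", "0.0.0.0/0", "10.0.0.0/33"} {
		b, hostBits, err := parseCIDR(s)
		if err != nil {
			fmt.Println(s, "->", err)
			continue
		}
		fmt.Printf("%-14s -> %-15s size=%-10d broadcast=%-15s host-bits-set=%-5v contains %s: %v\n",
			s, b, b.size(), formatIPv4(b.broadcast()), hostBits, formatIPv4(probe), b.contains(probe))
	}
	ip, _ := parseIPv4("172.31.255.1")
	fmt.Println("172.31.255.1 is RFC 1918 private:", isPrivate(ip))
}
```

The normalization flag is the part worth keeping in a real rule linter: the masked form is what the network actually enforces, and the difference between what was typed and what is enforced is exactly where accidental exposure comes from.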
DNS
The Domain Name System translates human-readable names to IP addresses. When a browser requests example.com, a recursive resolver (the one the operating system points at) walks the hierarchy: the root servers refer it to the .com servers, which refer it to example.com's authoritative nameservers, which return the answer. Plain DNS is unauthenticated and usually carried over UDP: a resolver accepts the first answer whose transaction ID and port match its query, which is what spoofing and cache-poisoning attacks target.
Key record types: A records map names to IPv4 addresses. AAAA records map to IPv6. CNAME records create aliases to another name. NS records delegate a zone to its authoritative nameservers. MX records direct email for a domain. TXT records carry arbitrary text (used for domain-ownership verification and for the email security policies SPF, DKIM and DMARC). SRV records enable service discovery by advertising the host and port for a service.
TTL (Time to Live) controls how long resolvers may cache a response. A short TTL allows faster changes but increases query load on the authoritative servers. A long TTL is more efficient but means changes propagate slowly: a resolver that cached the old answer keeps serving it until that TTL expires, so lower the TTL well ahead of a planned move and raise it again afterwards.
Internally, DNS is often used for service discovery — services find each other by name rather than hardcoded IP addresses. This is fundamental in container orchestration environments where IP addresses are ephemeral.
Certificates and TLS
Certificates bind a public key to an identity (typically a domain name) and are signed by a trusted Certificate Authority (CA). When your browser connects to a website over HTTPS, it checks that the certificate chains to a CA in its trust store, that it is within its validity period, and that the name in the certificate matches the host it connected to. All three checks matter: a valid certificate for the wrong name proves nothing, and client code that disables hostname verification "to make it work" has disabled the protection entirely.
Certificate chains establish trust hierarchically: a root CA signs an intermediate CA, which signs the server certificate. The browser trusts the root, and trust flows down the chain. Clients ship only roots, so the server must send its intermediate certificate along with its own; a missing intermediate is the classic cause of a site that works in a browser (which can fetch the missing certificate itself) but fails from curl or a library.
Let's Encrypt provides free, automated certificates through the ACME protocol, removing cost and manual renewal as barriers to TLS adoption. Its certificates are short-lived (90 days), which only works because renewal is automated; monitor that the automation keeps working, since a lapsed renewal is an outage.
Mutual TLS (mTLS) extends this model so that both sides verify each other's identity: the client verifies the server's certificate as usual, and the server requires and verifies a client certificate issued by a CA it trusts. This is common for service-to-service communication within private networks, where the client certificate acts as the service's identity. The cost is that client certificates need the same lifecycle as server certificates (issuance, rotation, revocation), which is where most mTLS deployments get hard.
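As an added example (not code from the page), the Go program below builds a small test PKI in memory: a root, an issuing intermediate, a server leaf named api.internal and a client leaf named worker.internal, all made-up names. It verifies the server chain the way a browser would, shows the failure when the intermediate is missing, and then runs a mutual-TLS handshake over an in-memory pipe in which the server requires a client certificate. The final handshake shows the server rejecting a client that presents none.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// identity is a certificate plus its private key. Everything below is generated in memory under
// made-up names for the example; nothing is fetched from a real CA and nothing touches disk.
type identity struct {
	cert *x509.Certificate
	der  []byte
	key  *ecdsa.PrivateKey
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue creates a certificate for cn. A nil parent yields a self-signed root; otherwise the
// certificate is signed by parent's key, which is all a chain is.
func issue(cn string, isCA bool, parent *identity) *identity {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tpl := &x509.Certificate{
		SerialNumber:          must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tpl.KeyUsage |= x509.KeyUsageCertSign
	} else { // a leaf binds the key to a DNS name (SAN) and may act as TLS server or client
		tpl.DNSNames = []string{cn}
		tpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
	}
	signer, signerKey := tpl, key
	if parent != nil {
		signer, signerKey = parent.cert, parent.key
	}
	der := must(x509.CreateCertificate(rand.Reader, tpl, signer, &key.PublicKey, signerKey))
	return &identity{cert: must(x509.ParseCertificate(der)), der: der, key: key}
}

// chain is what a TLS peer presents: its own certificate followed by the intermediate, never the root.
func chain(leaf, inter *identity) []tls.Certificate {
	return []tls.Certificate{{Certificate: [][]byte{leaf.der, inter.der}, PrivateKey: leaf.key}}
}

// verifyChain does what a browser does: build a path from leaf through inter (nil when the server
// forgot to send it) to a trusted root, then check validity period, key usage and the hostname.
func verifyChain(leaf, inter, root *x509.Certificate, host string) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	if inter != nil {
		inters.AddCert(inter)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host})
	return err
}

// mtlsHandshake runs a TLS 1.3 handshake over an in-memory pipe. The server requires a client
// certificate chaining to root; pass nil as client to watch it refuse an anonymous peer.
func mtlsHandshake(root *identity, server, client []tls.Certificate, name string) (serverErr, clientErr error) {
	pool := x509.NewCertPool()
	pool.AddCert(root.cert)
	srv := &tls.Config{Certificates: server, ClientCAs: pool, ClientAuth: tls.RequireAndVerifyClientCert,
		MinVersion: tls.VersionTLS13, SessionTicketsDisabled: true}
	cli := &tls.Config{Certificates: client, RootCAs: pool, ServerName: name, MinVersion: tls.VersionTLS13}
	sConn, cConn := net.Pipe()
	sConn.SetDeadline(time.Now().Add(5 * time.Second)) // net.Pipe is unbuffered: a stuck peer must not hang us
	cConn.SetDeadline(time.Now().Add(5 * time.Second))
	done := make(chan error, 1)
	go func() { done <- tls.Server(sConn, srv).Handshake() }()
	clientErr = tls.Client(cConn, cli).Handshake()
	cConn.Close() // also unblocks a server that is still trying to deliver an alert
	serverErr = <-done
	sConn.Close()
	return serverErr, clientErr
}

func main() {
	root := issue("Example Root CA", true, nil)
	inter := issue("Example Issuing CA", true, root)
	api, worker := issue("api.internal", false, inter), issue("worker.internal", false, inter)
	fmt.Println("full chain:      ", verifyChain(api.cert, inter.cert, root.cert, "api.internal"))
	fmt.Println("no intermediate: ", verifyChain(api.cert, nil, root.cert, "api.internal"))
	fmt.Println(mtlsHandshake(root, chain(api, inter), chain(worker, inter), "api.internal"))
	fmt.Println(mtlsHandshake(root, chain(api, inter), nil, "api.internal"))
}
```

Two design choices carry over to production code: the verifier never needs the intermediate in its own trust store (it is supplied by the peer, which is why a server that omits it fails), and the client certificate is checked against a CA pool the server controls, so rotating the issuing CA is a server-side configuration change rather than a change on every client.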
Private Networks
VPCs (Virtual Private Clouds) provide isolated network environments in cloud infrastructure. Subnets within a VPC route to each other by default, and nothing outside the VPC can reach in unless a gateway is attached. What actually reaches a resource is controlled by security groups (stateful allow lists attached to instances) and network ACLs (stateless allow and deny rules attached to subnets); reviewing those rules, rather than the VPC boundary itself, is where exposure usually hides.
VPNs extend private network access to remote users or other networks. WireGuard has become the modern default: it is fast, simple, and uses a fixed set of modern primitives (Curve25519, ChaCha20-Poly1305 and BLAKE2s, via the Noise protocol framework) in a small codebase that is practical to audit. Remember that a VPN authenticates a key, not a person or a request: once a peer is connected it is on the network, and what it can reach from there is a segmentation question.
Network segmentation divides a network into zones with controlled boundaries between them. A database shouldn't be accessible from the same network segment as a public-facing web server; it should be reachable only from the application tier, on its service port, with everything else denied by default. Segmentation limits the blast radius of a breach: an attacker who compromises the web server still has to cross a controlled boundary to reach the data.
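As an added example (not from the original page), the Go program below evaluates connection attempts against a segment's allow rules in the style of a cloud security group, and then audits those rules for the mistakes that defeat segmentation: sources open to the whole internet, sources wider than a /16, and administrative or database ports reachable from more than one subnet. The layout (10.0.1.0/24 web, 10.0.2.0/24 application, a database segment with a bastion at 10.0.0.10), the rule names and the addresses are all constructed for the example.

```go
package main

import (
	"fmt"
	"net/netip"
)

// rule is an allow-list entry in the style of a cloud security group or a Kubernetes
// NetworkPolicy: traffic that matches no rule is dropped.
type rule struct {
	Name string
	From netip.Prefix // who may connect
	Port uint16       // to which destination port
}

// flow is one connection attempt evaluated against a segment's rules.
type flow struct {
	Src  netip.Addr
	Port uint16
}

// attempt builds a flow from text; it panics on bad input, which is fine for fixed test data.
func attempt(src string, port uint16) flow {
	return flow{Src: netip.MustParseAddr(src), Port: port}
}

// allowed reports whether f is permitted and which rule (or "default deny") decided it.
func allowed(rules []rule, f flow) (bool, string) {
	for _, r := range rules {
		if r.Port == f.Port && r.From.Contains(f.Src) {
			return true, r.Name
		}
	}
	return false, "default deny"
}

// audit flags rules that defeat segmentation: a source of 0.0.0.0/0 or ::/0 (the whole
// internet), a source wider than a /16 (/48 for IPv6), or an administrative or database port
// reachable from more than one subnet (/24 for IPv4, /64 for IPv6).
func audit(rules []rule) []string {
	sensitive := map[uint16]string{22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgres", 6379: "redis"}
	var findings []string
	for _, r := range rules {
		bits, wide, subnet := r.From.Bits(), 16, 24
		if r.From.Addr().Is6() {
			wide, subnet = 48, 64
		}
		switch {
		case bits == 0:
			findings = append(findings, fmt.Sprintf("%s: port %d is open to the entire internet", r.Name, r.Port))
		case bits < wide:
			findings = append(findings, fmt.Sprintf("%s: source %s is wider than a /%d", r.Name, r.From, wide))
		case sensitive[r.Port] != "" && bits < subnet:
			findings = append(findings, fmt.Sprintf("%s: %s (port %d) reachable from %s, more than one subnet", r.Name, sensitive[r.Port], r.Port, r.From))
		}
	}
	return findings
}

// dbRules is the constructed policy for the database segment: Postgres only from the
// application subnet, SSH only from the bastion host. The third rule is the kind of mistake
// the audit exists to catch.
func dbRules() []rule {
	return []rule{
		{Name: "postgres-from-app", From: netip.MustParsePrefix("10.0.2.0/24"), Port: 5432},
		{Name: "ssh-from-bastion", From: netip.MustParsePrefix("10.0.0.10/32"), Port: 22},
		{Name: "ssh-from-anywhere", From: netip.MustParsePrefix("0.0.0.0/0"), Port: 22},
	}
}

func main() {
	rules := dbRules()
	for _, f := range []flow{
		attempt("10.0.1.5", 5432),  // public web tier: must not talk to the database directly
		attempt("10.0.2.7", 5432),  // application tier
		attempt("203.0.113.9", 22), // the internet (TEST-NET-3 address)
	} {
		ok, why := allowed(rules, f)
		fmt.Printf("%-13s -> port %-5d allowed=%-5v via %s\n", f.Src, f.Port, ok, why)
	}
	for _, finding := range audit(rules) {
		fmt.Println("AUDIT:", finding)
	}
}
```

The evaluation and the audit answer different questions. The first says what the network will do with a given packet; the second says whether the rules as written match the intent, which is the check that catches a rule like ssh-from-anywhere before an attacker does.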
Zero-trust networking takes this further: no network location is inherently trusted. Every request is authenticated and authorized regardless of where it originates. This model assumes the network is compromised and designs accordingly.
For practical implementation of these concepts — firewall rules, security groups, Kubernetes network policies — see network-isolation. For the authentication layer that zero-trust depends on, see authentication-authorization.